A proposal in Congress touted as increasing oversight of the National Security Agency could instead derail legal challenges to the U.S. government's warrantless demands for confidential customer data.

Legislation introduced last month by Patrick Leahy, chairman of the Senate Judiciary committee, alters the ground rules that currently permit U.S. companies to object to a secretive intelligence-gathering technique, called a national security letter, used by the federal government to obtain both individual and bulk customer records.

Part of Leahy's proposal prevents companies from directly challenging the legality of NSL requests in their local courts, meaning they need to rely on the Justice Department to initiate litigation in a jurisdiction of its own choosing -- a dramatic change that raises the cost of a legal challenge and reduces the odds of it succeeding.

"Leahy's bill seems to remove the ability of recipients to initiate their own challenges to an NSL gag order," said Matt Zimmerman, a senior staff attorney at the Electronic Frontier Foundation, which is litigating an NSL case in San Francisco. If the measure becomes law, Zimmerman said, EFF might not have been able to file its lawsuit in the northern district of California, and the Justice Department "most certainly would not have either."

That portion of Leahy's legislation may have been a response to EFF's recent success before Judge Susan Illston in San Francisco, who ruled in March that gag orders associated with NSLs were unconstitutional. Other federal courts have been more inclined to agree with the government's view of the law, especially in New York, where the Justice Department initiated a lawsuit in April to force Google to comply with an NSL.

Under the legislation, "the provider has to go to the government to object -- and then the government picks the court in the jurisdiction most favorable to them," said a representative of a U.S. company that's concerned about the negative impact of Leahy's bill if it becomes law. "It's astonishing that anyone would propose to remove the right of a provider to challenge directly, in their home district, an NSL that they view as unlawful."

Jessica Brady, a press aide for Leahy's Judiciary committee, repeatedly declined to answer questions about the legislation that CNET first posed last week.

NSLs are controversial because they allow FBI officials to send secret requests to Web, Internet, and telecommunications companies demanding "name, address, length of service," and other account information about users as long as it could be relevant to a national security investigation. No court approval is required, and revealing the existence of the NSL is not permitted, two characteristics that have led to ongoing debate about their constitutionality.

Recent disclosures by ex-NSA analyst Edward Snowden about domestic surveillance have highlighted the potential impact of companies' challenges to national security requests. Microsoft and Google are litigating cases before a secret court created under the Foreign Intelligence Surveillance Act, Yahoo won the right to release a partially redacted version of a FISA court opinion, and Google is currently wrangling over the legality of NSLs with the Justice Department in New York and San Francisco.

While NSLs predate the Patriot Act, the 2001 law significantly broadened their scope and led to a sharp uptick in their usage: the FBI issued 192,499 of the demands from 2003 to 2006, and 97 percent of NSLs include a mandatory gag order. One letter can be used to obtain full database dumps; BusinessWeek reported in 2005 that NSLs were used to demand "financial records covering about one million" visitors to Las Vegas.

The list of organizations that have objected after receiving an NSL, however, remains relatively short. It includes librarians, Google, the Internet Archive, Calyx Internet Access, and an unnamed telephone company represented by the EFF in its ongoing litigation that's now before the 9th U.S. Circuit Court of Appeals.

"Everyone should be free to file cases wherever it suits them," said Calyx's Nicholas Merrill, who successfully fought an NSL with the help of the ACLU and is planning to launch a privacy-protective Internet service provider. "It's not legitimate if one party tries to narrow down the venues to only ones that will help one side."

Nicholas Merrill, who successfully fought a national security letter, says "everyone should be free to file cases wherever it suits them."
Sarah Tew/CNET

The NSL-related components of Leahy's FISA Accountability and Privacy Protection Act are part of a broader bill that some privacy groups say would be generally beneficial. Other sections would accelerate surveillance-related sunset dates, make it more difficult for the NSA to vacuum up logs of Americans' phone calls, require more inspector general audits of NSLs, and increase the public availability of surveillance statistics.

"I have long been concerned about the broad scope of these secret requests, and the potential for expansive collection of sensitive information without appropriate limitations, and a sunset provision would help to ensure proper accountability," Leahy said in a floor speech last month. "Additionally, my bill would also address constitutional deficiencies regarding the nondisclosure or 'gag orders' by finally allowing individuals to challenge these orders in court."

Alex Adbo, a staff attorney with the ACLU's National Security Project, says, referring to the NSL language in Leahy's bill:

I can see how it might allow the government to forum shop by simply conducting its national security investigations in a a favorable district. I doubt that was the intent of it, but I agree that there at least two easy fixes: eliminating the second jurisdictional hook or making clear that recipients can themselves initiate the review.

Section 6 of Leahy's bill says that, if a U.S. company objects to an NSL's gag order, it must tell the Justice Department. The department then has 30 days to file a lawsuit. But, crucially, it decides where: the lawsuit may be filed where "the authorized investigation that is the basis for the request or order is being conducted" -- and the FBI can send NSLs from any field office.

Leahy, a former prosecutor, has a mixed record on privacy. Last year, he attempted a legislative fix to the Foreign Intelligence Surveillance Act that would have improved oversight, and his committee approved a bill in November requiring law enforcement to obtain warrants for e-mail. Leahy also criticized the FBI's efforts to require Internet providers to build in backdoors for law enforcement access.

The NSL sections of Leahy's current bill appear to be in part an effort to rewrite federal law after a ruling (PDF) from the 2nd U.S. Circuit Court of Appeals in 2008.

A three-judge panel of the Second Circuit took an unusual approach. The judges agreed that the "challenged statutes do not comply with the First Amendment" but went on to rewrite the statute on their own to make it more constitutional. They drafted new requirements, including that FBI officials may levy a gag order only when they claim an "enumerated harm" to an investigation related to international terrorism or intelligence will result.

Leahy's bill does permits a speedier challenge to the gag orders associated with NSLs, and it likely makes it easier for companies to win First Amendment cases challenging the orders. But it does not, crucially, go so far as to require the FBI to go to court before muzzling individuals or companies that receive NSLs -- meaning many of the free speech concerns remain.

"As a practical matter, I don't think the current version of Sen. Leahy's bill would move the ball forward much from a civil liberties standpoint," says Zimmerman, the EFF attorney who's litigating the group's NSL case. "And it seems to have the potential to make things worse."